August 2014 Patch Tuesday Preview

While the Black Hat security conference is ongoing in Las Vegas (stay tuned to this blog for a rundown of our favorite presentations), Microsoft has published their Advance Notice for the month of August. That document gives us an idea of the size of next week’s Patch Tuesday: we will get nine bulletins affecting a wide variety of Microsoft software including Internet Explorer, Windows, Office, SQL Server and SharePoint. Two of the bulletins are rated “critical,” as they allow for Remote Code Execution (RCE), and a third one for Microsoft Office OneNote also provides RCE capabilities.

The most critical patch is Bulletin #1, which affects all versions of Internet Explorer (IE), all the way from IE 6 to the newest IE 11 on Windows 8.1 and RT. Since browsers are attackers' favorite targets, this patch should be at the top of your list. An attacker would exploit this vulnerability against your users through a malicious webpage. Such pages can sit on sites set up specifically for this purpose, which requires the attacker to lure your users there, or on sites with an established user community, such as blogs and forums, that are already under the attacker's control.

Bulletin #2 is a critical update for Windows and affects Windows 7 and Windows 8, plus the Media Center TV pack for Vista. I believe it must address bugs in the graphics processing pipeline, most likely in an online video component. An attacker would have to trick you into opening a file. Microsoft’s rating of "critical" indicates that your users can trigger this bug by simply surfing to a malicious webpage, so no special interaction is required.

Bulletin #3 affects the popular OneNote application in Office 2007. It is a file format vulnerability and provides Remote Code Execution. An attacker would have to convince your users to open a malicious file, most likely with a targeted e-mail. Of course, if you do not have OneNote installed or are on a newer version of Microsoft Office (you really should be, as 2007 lacks many of the newer security features), you are not affected.

Bulletin #4 is an important vulnerability in SQL Server 2008, 2012 and 2014. The vulnerability can be used for a local elevation of privilege, meaning the attacker already needs to have an account on the targeted machine. It really depends on your usage of SQL Server, but most likely this vulnerability cannot be used by itself.

Bulletins #5 and #6 are elevation of privilege vulnerabilities in Windows. They are local vulnerabilities and cannot be used to achieve code execution remotely through the network. They require the attacker to be on the machine already as a standard user. Exploits for these types of vulnerabilities are part of the toolkit of any attacker, as they are extremely useful when the attacker gets an account on the machine, say through stolen credentials. As we explained last month, in any practical scenario, the attacker then wants to ensure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in – we consider these extremely important to fix to help frustrate or slow down attackers once they are on the target machine.

Bulletin #7 is a vulnerability in SharePoint Server 2013. Take a close look when more details become available to see what capabilities it provides to an attacker.

Bulletins #8 and #9 are both of type Security Feature Bypass, #8 in .NET and #9 in the newer version of Windows. It will be interesting for us to see how an attacker can use weaknesses in the design of a security tool to gain access to advanced privileges.

Lastly, Microsoft provided some information on a new security capability in Internet Explorer. In a blog post they explained how IE will refuse to run outdated versions of ActiveX controls. Right now this new feature is focused on ensuring that no old version of Java can run in the Internet zone, but the feature can easily be extended to other ActiveX controls. This is a great idea, plus Microsoft made the capability manageable through GPOs, which is something that enterprise admins will appreciate. Take a look at the post and let me know whether you think this will be useful in your setup.